Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,180 advisories

Loading
Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset High
GHSA-h4g2-xfmw-q2c9 was published for clauster (pip) Jul 10, 2026
mcp-atlassian: Arbitrary file read via missing path validation in confluence_upload_attachment High
GHSA-g5r6-gv6m-f5jv was published for mcp-atlassian (pip) Jul 10, 2026
rainfantry Credited to rainfantry
mcp-atlassian: Arbitrary server-side file read via attachment upload High
GHSA-wm45-qh3g-v83f was published for mcp-atlassian (pip) Jul 10, 2026
0xmagic0 Credited to 0xmagic0
BabelDOC: Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py High
CVE-2026-54071 was published for BabelDOC (pip) Jul 10, 2026
EQSTLab Credited to EQSTLab and awwaawwa awwaawwa awwaawwa
Mistune: Potential DoS via quadratic-time parsing in parse_link_text High
CVE-2026-49851 was published for mistune (pip) Jul 9, 2026
bhanugoudm041 Credited to bhanugoudm041
Soup Sieve: Regular Expression Denial of Service (ReDoS) via Selector Parser High
CVE-2026-49477 was published for soupsieve (pip) Jul 9, 2026
mauriceng98 Credited to mauriceng98
Soup Sieve has Memory Exhaustion via Large Comma-Separated Selector Lists High
CVE-2026-49476 was published for soupsieve (pip) Jul 9, 2026
mauriceng98 Credited to mauriceng98
Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths High
GHSA-52vm-mxx8-f227 was published for phantom-audio (pip) Jul 9, 2026
leesaenz Credited to leesaenz
Goh3st Credited to Goh3st
`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes High
CVE-2026-49825 was published for lxml_html_clean (pip) Jul 8, 2026
glefait Credited to glefait, frenzymadness, and scoder frenzymadness frenzymadness
scoder scoder
Open WebUI vulnerable to Stored XSS via iFrame embeds in response messages High
CVE-2026-26193 was published for open-webui (pip) Jul 7, 2026
gg0h Credited to gg0h
Open WebUI vulnerable to Stored XSS via iFrame in citations model High
CVE-2026-26192 was published for open-webui (pip) Jul 7, 2026
gg0h Credited to gg0h
Linuxfabrik Monitoring Plugins have local privilege escalation using embedded command High
CVE-2026-55426 was published for linuxfabrik-lib (pip) Jul 6, 2026
OoYo0uto Credited to OoYo0uto
Langroid: handle_message() executes user-supplied tool JSON without sender verification High
CVE-2026-54771 was published for langroid (pip) Jul 6, 2026
u-ktdi Credited to u-ktdi
flyto-core has Unauthenticated Command Execution via HTTP MCP `execute_module` High
CVE-2026-55786 was published for flyto-core (pip) Jul 6, 2026
EQSTLab Credited to EQSTLab
tonghuaroot Credited to tonghuaroot
Open Babel has out-of-bounds write in MOPAC translationVectors[] (UNIT CELL TRANSLATION) High
CVE-2022-46292 was published for openbabel (pip) Jul 6, 2026
OoYo0uto Credited to OoYo0uto
tonghuaroot Credited to tonghuaroot
tonghuaroot Credited to tonghuaroot
chaitanyagarware Credited to chaitanyagarware
Cortex has Untrusted Project Bootstrap Code Execution via `CLAUDE_PROJECT_DIR` High
CVE-2026-49986 was published for neuro-cortex-memory (pip) Jul 1, 2026
EQSTLab Credited to EQSTLab and useworld useworld useworld
ProTip! Advisories are also available from the GraphQL API